Vigil@nce: PHP, information disclosure via session_start
December 2009 by Vigil@nce
An attacker can use a long session cookie, in order to obtain the installation path of the web site.
Consequences: data reading
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: multiple sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 29/12/2009
DESCRIPTION OF THE VULNERABILITY
The PHP session_start() function initializes the session.
Sessions are saved in a temporary directory: /tmp/sess_[name-of-the-session]
However, if the session name is longer than the maximum file name length, session_start() fails with an error. The error message discloses the installation path of the web site: Warning: session_start() open(/tmp/sess_aaa..aa) in /path/page.php
An attacker can therefore use a long session cookie, in order to obtain the installation path of the web site.
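As an added example (not part of the Vigil@nce advisory and not PHP's own code), the following session bootstrap rejects a malformed or oversized session cookie before session_start() touches the filesystem, and keeps PHP warnings out of the HTTP response so no path can leak. The cookie name, the accepted length bounds and the 255-byte file name limit are assumptions.

```php
<?php
// Added example: harden session_start() against the path disclosure above.
// Assumptions: default file-based session handler, session name PHPSESSID,
// a 255-byte file name limit on the session save path.

const SESSION_NAME = 'PHPSESSID';

// PHP session IDs are built from [0-9a-zA-Z,-]. The length bounds are an
// assumption: 22 covers PHP's shortest default, 128 stays well below the
// file name limit while leaving room for unusual but legitimate settings.
const SESSION_ID_PATTERN = '/^[0-9a-zA-Z,-]{22,128}$/';

function isWellFormedSessionId(string $id): bool
{
    return preg_match(SESSION_ID_PATTERN, $id) === 1;
}

function startSessionSafely(): void
{
    // Warnings must never reach the client; log them server-side instead.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    session_name(SESSION_NAME);

    $cookie = $_COOKIE[SESSION_NAME] ?? null;
    if ($cookie !== null && !isWellFormedSessionId($cookie)) {
        // Discard the client-supplied value so PHP never tries to open
        // /tmp/sess_<oversized value>; PHP generates a fresh ID instead.
        error_log('rejected malformed session cookie of length ' . strlen($cookie));
        unset($_COOKIE[SESSION_NAME]);
    }

    session_start();
}

startSessionSafely();
```

Even with this check in place, display_errors should stay off in production, since any other warning emitted by session_start() would carry the same script path.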